Abstract — In this paper, a new identity-based identification scheme based on error-correcting codes is proposed.

Two well-known code-based schemes are combined: the signature scheme by Courtois, Finiasz and Sendrier and the identification scheme by Stern.

A proof of security for the scheme in the Random Oracle 
Model is given. 

Index Terms — Identification, Identity-based Cryptography, Correcting codes, Stern, Niederreiter.



I. Introduction 

ONE of the most critical points of public key cryptography (PKC) is the management of the authenticity of the public key. It is the very single point that anchors public key cryptography to the real world; if no such mechanism is provided, the consequences are fatal. In fact, if Alice is able to take Bob's identity by passing off her own public key as Bob's, she would be able to decipher all messages sent to Bob or to sign any message on behalf of Bob.

In 1984, Shamir introduced the concept of Identity-based Public Key Cryptography (ID-PKC) [57] in order to simplify the management and the identification of the public key, which, as time passed, had become more and more complex.

In ID-PKC the public key of a user is obtained from his identity id on the network. The identity id can be a concatenation of any publicly known information that singles out the user: a name, an e-mail address, or a phone number, to name a few. Hence it is no longer necessary to verify a certificate for the public key, nor to access a public directory to obtain one. At first glance this seems simple, but producing private keys becomes more complex. In particular, a user can no longer build his own private key by himself, and it is necessary to introduce a trusted third party who constructs the private key from the user's identity and sends it to the user. This process has to be done at least once for each user.
Shamir [57] calls this trusted third party the Key Generation Center (KGC). The KGC is the owner of a system-wide secret, called the master key. After successfully verifying (by non-cryptographic means) the identity of the user, the KGC computes the corresponding user private key from the master key, the user identity id and a trapdoor function.

Identity-based systems resemble ordinary public-key systems, in the sense that both involve a private transformation (i.e. decrypting) as well as a public transformation (i.e. encrypting). However, in identity-based systems users do not have explicit public keys. Instead, the public key is effectively replaced by (or constructed from) a user's publicly available identity information.

The motivation behind identity-based systems is to create a cryptographic system resembling an ideal mail system. In this ideal system, knowledge of a person's name alone suffices for confidential mailing to that person, and for verification of signatures that only that person could have produced. In such an ideal cryptographic system:

1. users need exchange neither symmetric keys nor public keys;

2. public directories (databases containing public keys or certificates) need not be kept;

3. the services of a trusted authority are needed solely during a set-up phase (during which users acquire authentic public system parameters).

A drawback in many concrete proposals of identity-based systems is that the required user-specific identity data includes additional data, taking the form of an integer or public data value for instance, denoted $D_A$, beyond an a priori identity $ID$. Ideally, $D_A$ is not required, as a primary motivation for identity-based schemes is to eliminate the need to transmit public keys, to allow truly non-interactive protocols with identity information itself sufficing as an authentic public key. We will refer to the latter systems as pure identity-based systems. The issue is less significant in signature and identification schemes, where the public key of a claimant is not required until a message is received from that claimant (in this case $D_A$ is easily provided); but in this case the advantage of identity-based schemes diminishes. It is more critical in key agreement and public-key encryption applications, where another party's public key is needed at the outset.

In his paper Shamir proposed identity-based signature and identification systems based on the RSA or Discrete Logarithm problems. The first efficient provably secure identity-based encryption cryptosystem featuring the above mentioned non-interactive property was proposed in 2001 by Boneh and Franklin [IB]. This system is based on the Weil pairing over certain families of elliptic curves. The same year, Cocks [10] published a system based on quadratic residuosity, but a rather large message expansion makes it somewhat inefficient in practice.

Following the paper by Boneh and Franklin, research on ID-PKC has made great advances and lots of schemes have been published, most of them based on elliptic curves and bilinear pairings, such as identity-based encryption (IBE) schemes [3], identity-based key agreement schemes [5], and identity-based identification (IBI) or identity-based signature (IBS) schemes [35], [33]. In 2004 Bellare, Neven and Namprempre proposed in [1] a general framework deriving IBI or IBS from traditional public key-based signature and identification schemes, and they applied it to concrete known schemes. The resulting systems are not pure identity-based, and only schemes based on number theoretic problems were considered.

In this paper, we propose and formally study a new IBI 
scheme built from error-correcting codes. 

Code-based cryptography was introduced by McEliece [23], a variation of which was later proposed by Niederreiter [25]. The idea of using error-correcting codes for identification purposes is due to Harari [20], followed by Stern (first protocol) and Girault [17]. But the Harari and Girault protocols were subsequently broken, while Stern's first one was five-pass and impractical. At Crypto'93, Stern proposed a new scheme [30], which is still today the reference in this area.

For a long time no code-based signature scheme was known; eventually the first (not yet cryptanalyzed) one was proposed by Courtois, Finiasz and Sendrier [11] (CFS) in 2001. The basic idea of the CFS signature scheme is to choose parameters such that an inversion of the otherwise non-invertible Niederreiter scheme is feasible. This is done at the cost of a rather large public key compared to other signature schemes. Still, the signature length is short.

We obtain our new IBI scheme by combining the CFS signature scheme and the identification scheme by Stern. The basic idea of our scheme is to start from a Niederreiter-like problem which can be inverted as in the CFS scheme. This permits associating a secret to a random (public) value obtained from the identity of the user. The secret and public values are then used in the Stern zero-knowledge identification scheme.

The paper is organized as follows. In Section II we introduce notation and definitions, while in Section III we recall basic facts on code-based cryptography. Section IV is devoted to describing the public key encryption scheme of Niederreiter and the signature scheme of Courtois, Finiasz and Sendrier. The identification protocol of Stern is presented in Section V, and next our new protocol is described in Section VI. In Section VII we give a proof of security for our scheme in the Random Oracle Model [2].

Finally, in Section VIII we give concrete parameters and conclude in Section IX.

Publication info. This is the full version of a previously published conference extended abstract [7].

II. Notation and definitions 

WE first introduce some notation. If $x$ is a string, then $|x|$ denotes its length, while if $S$ is a set then $|S|$ denotes its cardinality. If $k \in \mathbb{N}$ then $1^k$ denotes the string of $k$ ones.



If $S$ is a set then $s \leftarrow S$ denotes the operation of picking an element $s$ in $S$ uniformly at random. Unless otherwise indicated, algorithms are modelled as Probabilistic Polynomial Time (PPT) algorithms. We write $A(x, y, \ldots)$ to indicate that $A$ is an algorithm with inputs $x, y, \ldots$ and by $z \leftarrow A(x, y, \ldots)$ we denote the operation of running $A$ with inputs $(x, y, \ldots)$ and letting $z$ be the output. We write $A^{O_1, O_2, \ldots}(x, y, \ldots)$ to indicate that $A$ is an algorithm with inputs $x, y, \ldots$ and access to oracles $O_1, O_2, \ldots$, and by $z \leftarrow A^{O_1, O_2, \ldots}(x, y, \ldots)$ we denote the operation of running $A$ with inputs $(x, y, \ldots)$ and access to oracles $O_1, O_2, \ldots$ and letting $z$ be the output.

Provers and verifiers. An interactive algorithm is a stateful PPT algorithm that on input an incoming message $M_{in}$ (this is $\varepsilon$ if the party is initiating the protocol) and state information $St$ outputs an outgoing message $M_{out}$ and an updated state $St$. The initial state contains the initial inputs of the algorithm. We say that $A$ accepts if $M_{out} = \mathrm{acc}$ and rejects if $M_{out} = \mathrm{rej}$. An interaction between a prover $P$ and a verifier $V$, both modelled as interactive algorithms, ends when $V$ either accepts or rejects. The expression

$(C, d) \leftarrow \mathrm{Run}[P(p_1, \ldots) \leftrightarrow V(v_1, \ldots)]$

denotes that $P$ and $V$ have engaged in an interaction with inputs $p_1, \ldots$ and $v_1, \ldots$ respectively, producing a conversation transcript $C$ and a boolean decision $d$, with $1$ meaning that $V$ accepted and $0$ meaning that it rejected.

Standard identification schemes. A standard identification scheme $\mathcal{S} = (\mathrm{Kg}, P, V)$ consists of three PPT algorithms:

Key generation algorithm Kg takes as input a security parameter $\kappa$ and returns a secret key $SK$ and a matching public key $PK$. We use the notation $(SK, PK) \leftarrow \mathrm{Kg}(1^\kappa)$.

Interactive identification protocol, where the prover runs $P$ with initial state $SK$, while the verifier has initial state $PK$. It is required that for all $\kappa \in \mathbb{N}$ and valid key pairs $(PK, SK)$, the output of $V$ in any interaction between $V$ (with input $PK$) and $P$ (with input $SK$) is acc with probability one.

Standard Signatures. A standard signature scheme $\mathcal{S} = (\mathrm{KG}, \mathrm{Sign}, \mathrm{Vfy})$ consists of three PPT algorithms:

Key generation algorithm KG takes as input a security parameter $\kappa$ and returns a secret key $SK$ and a matching public key $PK$. We use the notation $(SK, PK) \leftarrow \mathrm{KG}(1^\kappa)$.

Signing algorithm Sign takes as input a secret key $SK$ and a message $m$. The output is a signature $\mathrm{sig}_{SK}(m)$. This is denoted as $\mathrm{sig}_{SK}(m) \leftarrow \mathrm{Sign}(SK, m)$.

Verification algorithm Vfy takes as input a public key $PK$, a message $m$, and a signature $\mathrm{sig} = \mathrm{sig}_{SK}(m)$. The output is $1$ if the signature is valid, or $0$ otherwise. We use the notation $\{0, 1\} \leftarrow \mathrm{Vfy}(PK, m, \mathrm{sig})$ to refer to one execution of this algorithm.
The standard security notion for signature schemes is unforgeability against adaptively-chosen message attacks, which can be found in [19].

Identity-Based identification. An identity-based identification scheme $\mathcal{IBS} = (\mathrm{MKg}, \mathrm{UKg}, P, V)$ consists of four PPT algorithms, as follows:

Master-key generation algorithm MKg takes as input a security parameter $\kappa$ and returns, on one hand, the system public parameters $mpk$ and, on the other hand, the matching master secret key $msk$, which is known only to a master entity. It is denoted as $(mpk, msk) \leftarrow \mathrm{MKg}(1^\kappa)$.

Key extraction algorithm UKg takes as inputs the master secret key $msk$ and an identity $id \in \{0, 1\}^*$, and returns a secret key $SK[id]$. We use the notation $SK[id] \leftarrow \mathrm{UKg}(msk, id)$.

Interactive identification protocol, where the prover with identity $id$ runs the interactive algorithm $P$ with initial state $SK[id]$, and the verifier runs $V$ with initial state $mpk, id$.

Security of IBI schemes. An IBI scheme is said to be secure against impersonation under passive attacks (imp-pa) if any adversary $\mathcal{A} = (CP, CV)$, consisting of a cheating prover $CP$ and a cheating verifier $CV$, has a negligible advantage in the following game:

Setup. The challenger takes a security parameter $\kappa$ and runs the master key generation algorithm MKg. It gives $mpk$ to the adversary and keeps the master secret key $msk$ to itself. It initializes an empty list $UK^{list}$.

Phase 1. The adversary issues queries of the form:

- User key query ($id_i$). The challenger checks whether there exists an entry $(id_i, SK[id_i])$ in the list $UK^{list}$. If this is the case, it retrieves the user secret key $SK[id_i]$. Otherwise, it runs algorithm UKg to generate the private key $SK[id_i]$ corresponding to $id_i$. It sends $SK[id_i]$ to the adversary and includes the entry $(id_i, SK[id_i])$ in the list $UK^{list}$.

- Conversation query ($id_i$). The challenger checks whether there exists an entry $(id_i, SK[id_i])$ in the list $UK^{list}$. If this is the case, it retrieves the user secret key $SK[id_i]$. Otherwise, it runs algorithm UKg to generate the private key $SK[id_i]$ corresponding to $id_i$. The challenger returns $(C, d)$ where $(C, d) \leftarrow \mathrm{Run}[CP(SK[id_i]) \leftrightarrow V(mpk, id_i)]$.

These queries may be asked adaptively, that is, each query may depend on the answers obtained to the previous queries.

Challenge. The cheating verifier $CV$ outputs a target identity $id^*$ and its state $St_{CV}$, such that the private key for $id^*$ was not requested in Phase 1.

Phase 2. The cheating prover $CP$, with input $St_{CV}$, interacts with an honest verifier with input $mpk, id^*$. The cheating prover is allowed to query the same oracles as in Phase 1, except that the query $id^*$ is not allowed. Finally, $\mathcal{A}$ wins if the output of $V$ is accept, i.e. $d = 1$ in $(C, d) \leftarrow \mathrm{Run}[CP(SK[id_i]) \leftrightarrow V(mpk, id_i)]$.

Such an adversary is called an imp-pa adversary $\mathcal{A}$, and its advantage is defined as $\mathrm{Adv}^{imp\text{-}pa}_{\mathcal{A}}(1^\kappa) = \Pr[d = 1]$.

III. Code-based cryptography 

IN this section we recall basic facts about code-based cryptography. We refer to the work of Sendrier [26] for a general introduction to these problems.

A. Hard problems 

Every public key cryptosystem relies on a hard problem. In the case of coding theory, the main hard problems used are the Bounded Decoding (BD) and Code Distinguishing (CD) problems.

Definition III.1 (Bounded Decoding Problem) Let $n$ and $k$ be two integers such that $n > k$ and $H$ a parity check matrix. $\mathrm{Binary}(n, k)$ represents a random binary matrix of $n$ columns, $k$ rows and of rank $k$.

Input: $H \leftarrow \mathrm{Binary}(n, k)$ and $s \leftarrow \mathbb{F}_2^{n-k}$.

Output: A word $e \in \mathbb{F}_2^n$ such that $\mathrm{wt}(e) \le \dfrac{n-k}{\log_2 n}$ and $He^T = s$.

Let us denote by $\mathrm{Adv}^{BD}_{\mathcal{C}}(n, k)$ the probability that an algorithm $\mathcal{C}$ has of solving the above problem. This problem was proven to be NP-complete in [3].

Definition III.2 (Code Distinguishing Problem) Let $n$ and $k$ be two integers such that $n > k$ and $H$ a parity check matrix.

Input: $H \leftarrow \mathrm{Goppa}(n, k)$ or $H \leftarrow \mathrm{Binary}(n, k)$.

Output: $b = 1$ if $H \in \mathrm{Goppa}(n, k)$, $b = 0$ otherwise.

$\mathrm{Adv}^{CD}_{\mathcal{D}}(n, k) = \left|\Pr[\mathcal{D}(H) = 1 \mid H \leftarrow \mathrm{Goppa}(n, k)] - \Pr[\mathcal{D}(H) = 1 \mid H \leftarrow \mathrm{Binary}(n, k)]\right|.$

The description of a Goppa code $\mathrm{Goppa}(n, k)$ of length $n$ and dimension $k$ is to be found in [22].

B. McEliece scheme 

[Key Generation] Let $C$ be a $q$-ary linear $t$-error-correcting code of length $n$ and dimension $k$; we denote such a code $C(n, k, d)$. Let $G$ be a generator matrix of $C$. We will use a matrix $G'$ such that:

$G' = SHP$, where $S$ is invertible and $P$ is a permutation matrix.

$G'$ is public, and its decomposition and a syndrome decoding algorithm for $C$ are secret. To be clearer, we recall the various sizes of the matrices: $S$ is $(n-k) \times (n-k)$, $H$ is $n \times (n-k)$, $P$ is $n \times n$.
[Encryption] Let $E_{q,n,t}$ be the space of words of $\mathbb{F}_q^n$ with Hamming weight $t$. For a chosen cleartext $x \in E_{q,n,t}$, $y$ is the cryptogram corresponding to $x$ if and only if $y = xG' + e$.

[Decryption] For $y = xG' + e$, the knowledge of the secret key allows:

1. to compute $u = yP^{-1}$;

2. to find $u'$ from $u$ thanks to a syndrome decoding algorithm;

3. to find $x = u'S^{-1}$.

The syndrome decoding algorithm can be, for instance, in the case of Goppa codes, Patterson's algorithm (see part E).

C. Cryptanalytic Attacks 

The security of code-based cryptosystems depends on the difficulty of the following two attacks:

(i) Structural Attack: recover the secret transformation and the description of the secret code(s) from the public matrix.

(ii) Ciphertext-Only Attack: recover the original message from the ciphertext and the public key.

C.l Structural Attack 

While no efficient algorithm for decomposing $G'$ into $(S, G, P)$ has been discovered yet [24], a structural attack has been discovered in [5T]. This attack reveals part of the structure of a so-called weak $G'$, where 'weak' means that $G'$ has been generated from a binary Goppa polynomial in a special manner. However, this attack can be avoided simply by not using such weak public keys.

Structural attacks aim at recovering the structure of the permuted code, i.e. recovering the permutation from the code and its permuted version. The underlying problem is the equivalence of codes. This problem was considered by Sendrier, who gave a nice solution to it: the Support Splitting Algorithm [21)].

The complexity of this algorithm is in $O(2^{\dim(C \cap C^\perp)})$, where $C^\perp$ is the dual of the code $C$. This means that in order to resist the attack one has two options: either starting from a large family of codes with arbitrarily small hulls (the hull being the intersection of $C$ and $C^\perp$), or starting from a small family of codes but with a large hull.

For instance the choice of Goppa codes corresponds to the first possibility.

C.2 Ciphertext-Only Attack 

A first analysis using Information-Set Decoding was done by McEliece, then by Lee and Brickell, Stern and Leon, and lastly by Canteaut and Chabaud (see [6] for all references).

The Information-Set Decoding attack is one of the known general attacks (i.e., not restricted to specific codes) and seems to have the lowest complexity.



One tries to recover the $k$ information symbols as follows: the first step is to pick $k$ of the $n$ coordinates randomly in the hope that none of the $k$ are in error. We then try to recover the message by solving the $k \times k$ linear system (binary or over $\mathbb{F}_q$). Let $G'_k$, $c_k$ and $z_k$ denote the $k$ columns picked from $G'$, $c$ and $z$, respectively. They have the following relationship

$c_k = mG'_k + z_k.$

If $z_k = 0$ and $G'_k$ is non-singular, $m$ can be recovered by

$m = c_k G'^{-1}_k.$

The computation cost of this version is $T(k) \times P_{n,k,t}$, where

The quantity $T(k)$ in the average work factor is the number of operations required to solve a $k \times k$ linear system over $\mathbb{F}_q$. As mentioned in [53], solving a $k \times k$ binary system takes about $k^3$ operations. Over $\mathbb{F}_q$, it would require at least $(k \times \log_2 q)^3$ operations.

All the papers which improve the complexity only impact the cost of the Gaussian elimination. In the best improvement by Canteaut and Chabaud [6], a good approximation of the cost besides the probability factor can be taken roughly as $(k \times \log_2 q)^2$.
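The following Python program is an added example, not code from the paper: the plain information-set-decoding iteration just described, at toy size. Each iteration draws a random information set of $k$ coordinates, solves the $k \times k$ system $c_k = mG'_k$ by Gaussian elimination over $\mathbb{F}_2$, and accepts the candidate when it explains the ciphertext with at most $t$ errors. The generator matrix, message and error pattern are constructed inside the code; the per-iteration success probability $\binom{n-t}{k}/\binom{n}{k}$ and the $k^3$ cost per iteration are my own reading of the work factor (the page's expression for $P_{n,k,t}$ is not reproduced), used here only to estimate how the parameters drive the attack cost when choosing them.

```python
import math
import random

# Toy sizes (constructed): a random binary [N, K] generator matrix and T errors.
N, K, T = 32, 12, 2


def bit_count(x):
    return bin(x).count("1")


def encode(Gp, m):
    """m G' over F_2: XOR of the rows of G' (bitmasks) selected by the bits of m."""
    c = 0
    for i, row in enumerate(Gp):
        if (m >> i) & 1:
            c ^= row
    return c


def solve_combination(vectors, target, k):
    """Solve m G'_k = c_k over F_2: the bitmask m whose selected k-bit vectors XOR to
    target. Gaussian elimination on [G'_k | I]; returns None if G'_k is singular."""
    rows = [(v << k) | (1 << i) for i, v in enumerate(vectors)]
    for col in range(k):
        piv = next((i for i in range(col, k) if (rows[i] >> (k + col)) & 1), None)
        if piv is None:
            return None
        rows[col], rows[piv] = rows[piv], rows[col]
        for i in range(k):
            if i != col and (rows[i] >> (k + col)) & 1:
                rows[i] ^= rows[col]
    # Row p is now [e_p | combination of the original vectors that produces e_p].
    m = 0
    for p in range(k):
        if (target >> p) & 1:
            m ^= rows[p] & ((1 << k) - 1)
    return m


def isd_iteration(Gp, c, rng):
    """Pick K of the N coordinates at random (an information set), solve the K x K
    system, and return the candidate message, or None if G'_k is singular."""
    cols = rng.sample(range(N), K)
    restrict = lambda x: sum(((x >> cj) & 1) << j for j, cj in enumerate(cols))
    return solve_combination([restrict(row) for row in Gp], restrict(c), K)


def isd_decode(Gp, c, seed=0, max_iter=100000):
    """Repeat iterations until a candidate reproduces c up to T errors.
    Returns (m, number_of_iterations) or (None, max_iter)."""
    rng = random.Random(seed)
    for it in range(1, max_iter + 1):
        m = isd_iteration(Gp, c, rng)
        if m is not None and bit_count(encode(Gp, m) ^ c) <= T:
            return m, it
    return None, max_iter


def success_probability(n=N, k=K, t=T):
    """Probability that a random information set avoids all t error positions,
    C(n-t, k) / C(n, k) (my expression for the probability factor; expected
    iterations are about 1/P, more once singular G'_k are counted)."""
    return math.comb(n - t, k) / math.comb(n, k)


def expected_cost(n=N, k=K, t=T):
    """T(k) x expected iterations with T(k) ~ k^3 (binary elimination, as on the page)."""
    return k ** 3 / success_probability(n, k, t)


def toy_instance(seed=3):
    """Constructed sample: random G' kept only if its code has minimum distance
    >= 2T+1 (checked by exhausting the 2^K codewords, so decoding is unique),
    a random message m, an error z of weight T, and c = m G' + z."""
    rng = random.Random(seed)
    while True:
        Gp = [rng.getrandbits(N) for _ in range(K)]
        if all(bit_count(encode(Gp, m)) >= 2 * T + 1 for m in range(1, 2 ** K)):
            break
    m = rng.getrandbits(K)
    z = sum(1 << p for p in rng.sample(range(N), T))
    return Gp, m, z, encode(Gp, m) ^ z


if __name__ == "__main__":
    Gp, m, z, c = toy_instance()
    found, iters = isd_decode(Gp, c)
    print("recovered:", found == m, "iterations:", iters,
          "P =", round(success_probability(), 4), "cost ~", round(expected_cost()))
```

At these sizes one iteration succeeds with probability about $0.38$ (times the chance that $G'_k$ is invertible), which is what makes the toy instance fall in a handful of iterations; the same ratio evaluated at the paper's parameter sizes is what the cited work factors are built from.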

Apart from these general attacks there are some attacks targeting the McEliece cryptosystem using specific codes (see EE], EB, H, PI for example).

IV. Signature scheme of Courtois, Finiasz and Sendrier (or CFS scheme)

BEFORE describing the CFS scheme we first recall the Niederreiter public key cryptosystem.

A. Niederreiter encryption scheme 

[Key Generation] Let $C$ be a binary linear $t$-error-correcting code of length $n$ and dimension $k$. Let $H$ be a parity check matrix of $C$. We will use a matrix $\tilde{H}$ (the public matrix, written $H$ in short in the original) such that:

$\tilde{H} = QHP$, where $Q$ is invertible and $P$ is a permutation matrix.

$\tilde{H}$ is public, and its decomposition and a syndrome decoding algorithm for $C$ are secret.

To be clearer, we recall the various sizes of the matrices: $Q$ is $(n-k) \times (n-k)$, $H$ is $n \times (n-k)$, $P$ is $n \times n$. Let $E_{q,n,t}$ be the space of words of $\mathbb{F}_q^n$ with Hamming weight $t$.

[Encryption] For a chosen cleartext $x \in E_{q,n,t}$, $y$ is the cryptogram corresponding to $x$ if and only if $y = \tilde{H}x^T$.

[Decryption] For $y = \tilde{H}x^T$, the knowledge of the secret key allows:

1. to compute $Q^{-1}y$ ($= HPx^T$);

2. to find $Px^T$ from $Q^{-1}y$ thanks to a syndrome decoding algorithm;

3. to find $x$ by applying $P^{-1}$ to $Px^T$.

The syndrome decoding algorithm can be, for instance, in the case of Goppa codes, Patterson's algorithm (see part E).

The McEliece and Niederreiter schemes are not naturally invertible, i.e. if one starts from a random element $y$ and a code $C[n, k, d]$ that we are able to decode up to $d/2$, it is almost sure that we won't be able to decode $y$ into a codeword of $C$. This comes from the fact that the density of the whole space that is decodable is very small.

B. CFS signature scheme 

The idea of the CFS scheme is to find parameters $[n, k, d]$ that make successful the strategy of picking random elements until one is able to decode one of them with high probability. More precisely, given a message $M$ to sign and a hash function $h$ with range $\{0, 1\}^{n-k}$, we try to find a way to build $s \in \mathbb{F}_2^n$ of given weight $t$ such that $h(M) = \tilde{H}s^T$. For $\mathrm{Decode}(\cdot)$ a decoding algorithm, the CFS scheme works as follows:

[Key Generation]

1. Select $n$, $k$ and $t$ according to the security parameter $\kappa$.

2. Pick a random parity check matrix $H$ of an $(n, k)$ binary Goppa code decoding $t$ errors.

3. Choose a random $(n-k) \times (n-k)$ non-singular matrix $Q$, a random $n \times n$ permutation matrix $P$ and a hash function $h: \{0, 1\}^* \to \mathbb{F}_2^{n-k}$.

4. The public key is $\tilde{H} = QHP$ and the private key is $(Q, H, P)$.

5. Set $t = \dfrac{n-k}{\log_2 n}$, $i = 0$.

[Sign]

1. $i \leftarrow i + 1$

2. $x' = \mathrm{Decode}_H(Q^{-1} h(m \| i))$

3. if no $x'$ was found go to 1

4. output $(i, x'P)$

[Verify] Compute $s' = \tilde{H}x'^T$ and $s = h(m \| i)$. The signature is valid if $s$ and $s'$ are equal.

We get at the end a couple $\{s, j\}$ such that:

$h(M \| j) = \tilde{H}s^T.$

Let us notice that we can suppose that $s$ has weight $t = \lfloor d/2 \rfloor$. In [12], a proof of security in the Random Oracle Model for a modified version of the CFS scheme is given. We use the modified CFS scheme described there, named mCFS, as a building block for our scheme. The mCFS scheme is explained next.

C. Modified CFS signature scheme 

[Key Generation]

1. Select $n$, $k$ and $t$ according to $\kappa$.

2. Pick a random parity check matrix $H$ of an $(n, k)$ binary Goppa code decoding $t$ errors.

3. Choose a random $(n-k) \times (n-k)$ non-singular matrix $Q$, a random $n \times n$ permutation matrix $P$ and a hash function $h: \{0, 1\}^* \to \mathbb{F}_2^{n-k}$.

4. The public key is $\tilde{H} = QHP$ and the private key is $(Q, H, P)$.

5. Set $t = \dfrac{n-k}{\log_2 n}$.

[Sign]

1. $i \leftarrow \{1, \ldots, 2^{n-k}\}$ (chosen uniformly at random)

2. $x' \leftarrow \mathrm{Decode}_H(Q^{-1} h(m \| i))$

3. if no $x'$ was found go to 1

4. output $(i, x'P)$

[Verify] Compute $s' = \tilde{H}x'^T$ and $s = h(m \| i)$. The signature is valid if $s$ and $s'$ are equal.

V. Stern's protocol 

STERN'S scheme is an interactive zero-knowledge protocol which aims at enabling a prover $P$ to identify himself to a verifier $V$.

Let $n$ and $k$ be two integers such that $n > k$. Stern's scheme assumes the existence of a public $(n-k) \times n$ matrix $H$ defined over the two-element field $\mathbb{F}_2$. It also assumes that an integer $t < n$ has been chosen. For security reasons (discussed in [30]) it is recommended that $t$ is chosen slightly below the so-called Gilbert-Varshamov bound (see [22]). The matrix $H$ and the weight $t$ are protocol parameters and may be used by several (even numerous) different provers.

Each prover $P$ receives an $n$-bit secret key $SK$ (also denoted by $s$ if there is no ambiguity about the prover) of Hamming weight $t$ and computes a public identifier $PK$ such that $PK = H\,SK^T$. This identifier is calculated once in the lifetime of $H$ and can thus be used for several identifications. When a user $P$ needs to prove to $V$ that he is indeed the person associated to the public identifier $PK$, the two protagonists perform the following protocol, where $h$ denotes a standard hash function:

[Commitment Step] $P$ randomly chooses an $n$-bit word $y$ and a permutation $\sigma$ of $\{1, 2, \ldots, n\}$. Then $P$ sends to $V$ the commitments $c_1$, $c_2$ and $c_3$ such that:

$c_1 = h(\sigma \| Hy^T);\quad c_2 = h(\sigma(y));\quad c_3 = h(\sigma(y \oplus SK)),$

where $h(a \| b)$ denotes the hash of the concatenation of the sequences $a$ and $b$.

[Challenge Step] $V$ sends $b \in \{0, 1, 2\}$ to $P$.

[Answer Step] Three possibilities:

• if $b = 0$: $P$ reveals $y$ and $\sigma$.

• if $b = 1$: $P$ reveals $(y \oplus SK)$ and $\sigma$.

• if $b = 2$: $P$ reveals $\sigma(y)$ and $\sigma(SK)$.

[Verification Step] Three possibilities:

• if $b = 0$: $V$ verifies that $c_1, c_2$ are correct.

• if $b = 1$: $V$ verifies that $c_1, c_3$ are correct.

• if $b = 2$: $V$ verifies that $c_2, c_3$ are correct, and that the weight of $\sigma(SK)$ is $t$.

[Soundness Amplification Step] Iterate the above steps until the expected security level is reached.

During the fourth step, when $b$ equals 1, it can be noticed that $Hy^T$ derives directly from $H(y \oplus SK)^T$ since we have:

$Hy^T = H(y \oplus SK)^T \oplus PK = H(y \oplus SK)^T \oplus H\,SK^T.$

As proved in [30], the protocol is zero-knowledge and, for one round, the probability that a dishonest person succeeds in cheating is $2/3$. Therefore, to get a confidence level of $\beta$, the protocol must be iterated a number of times $k$ such that $(2/3)^k < \beta$ holds. When the number of iterations satisfies this condition, the security of the scheme relies on the NP-complete problem SD.

By virtue of the so-called Fiat-Shamir paradigm [15], it is possible to convert Stern's protocol into a signature scheme, but the resulting signature is long (about 140 kbit for $2^{80}$ security). Notice that this is large in comparison with classical signature schemes, but it is more or less close to the size of many files currently used in everyday life.

VI. New identity-based identification scheme from Stern-Niederreiter protocols

WE now describe the first code-based identity-based identification method. The prover is identifying herself to the verifier. Let $id_S$ and $id_P$ be the identities of the verifier $S$ and of the prover $P$, respectively.

[Master key generation] Let $C$, $H$, $\tilde{H} = QHP$ be the output of the key generation algorithm of the CFS signature scheme in Section IV. Let $h$ be a hash function mapping to $\{0, 1\}^{n-k}$. $\tilde{H}$ is made public, but the decomposition of $\tilde{H}$ is a secret of the authority.

[Key extraction] On input the decomposition of $\tilde{H}$ and the user's identity $id_P$, the goal of the key extraction algorithm is to output $s \in E_{q,n,t}$ such that $h(id_P) = \tilde{H}s^T$. However $h(id_P)$ might not be in the image of $x \mapsto \tilde{H}x^T$; that is to say, $h(id_P)$ is not necessarily in the space of decodable elements of $\mathbb{F}_2^{n-k}$. That problem can be solved thanks to the following algorithm. Given $\mathrm{Decode}(\cdot)$ a decoding algorithm for the hidden code:

1. $i \leftarrow \{1, \ldots, 2^{n-k}\}$ (chosen uniformly at random)

2. $x' = \mathrm{Decode}_H(Q^{-1} h(id_P \| i))$

3. If no $x'$ was found go to 1

4. output $(i, x'P)$

We get at the end a couple $\{s, j\}$ such that $h(id_P \| j) = \tilde{H}s^T$. We can note that $s$ has weight $t$ or less.
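The following Python program is an added example, not code from the paper or from the CFS authors. It implements, at toy size, the Niederreiter trapdoor of Section IV.A ($\tilde{H} = QHP$, with a brute-force bounded decoder standing in for Patterson's algorithm), the mCFS signing loop of Section IV.C with random counters $i$, and the key extraction of this section, which is the same loop run on the identity. It also measures the fraction of syndromes that decode, which is why the random counter is needed in the first place. The parameters, the SHA-256-based hash and all sample inputs are constructed; the secret code is a random binary code checked to correct $t$ errors, not a Goppa code, and $Q^{-1}$ is a lookup table, which only works because the toy syndrome space is tiny.

```python
import functools
import hashlib
import itertools
import math
import operator
import random

# Toy parameters (constructed): real CFS uses n = 2^16 and t = n-k / log2 n
# for Goppa codes; here T is simply chosen small enough to enumerate.
N, K, T = 16, 4, 2          # code length, dimension, correctable weight
R = N - K                   # syndrome length n - k


def bit_count(x):
    return bin(x).count("1")


def syndrome(M, x):
    """M x^T over F_2, with M a list of row bitmasks and x an int holding the vector."""
    s = 0
    for r, row in enumerate(M):
        s |= (bit_count(row & x) & 1) << r
    return s


def perm_apply(x, perm):
    """Column action P x^T: bit j of x moves to position perm[j]."""
    return sum(((x >> j) & 1) << perm[j] for j in range(N))


def perm_unapply(x, perm):
    """Inverse permutation; in this convention it plays the role of the paper's x'P."""
    return sum(((x >> perm[j]) & 1) << j for j in range(N))


def weight_bounded_words():
    """All words of F_2^N of weight <= T (only enumerable at toy sizes)."""
    for w in range(T + 1):
        for pos in itertools.combinations(range(N), w):
            yield sum(1 << p for p in pos)


def decode_bounded(H, s):
    """Brute-force bounded decoder standing in for Patterson's algorithm:
    some e with wt(e) <= T and H e^T = s, or None if s is not decodable."""
    for e in weight_bounded_words():
        if syndrome(H, e) == s:
            return e
    return None


def inverse_table(Q):
    """Q^-1 as a lookup table {Q v: v} over all of F_2^R; None if Q is singular."""
    table = {syndrome(Q, v): v for v in range(2 ** R)}
    return table if len(table) == 2 ** R else None


def public_matrix(Q, H, perm):
    """Row masks of Q H P, so that syndrome(QHP, x) equals Q H (P x^T)."""
    HP = [sum(((h >> perm[j]) & 1) << j for j in range(N)) for h in H]
    return [functools.reduce(operator.xor, (HP[r] for r in range(R) if (q >> r) & 1), 0)
            for q in Q]


def keygen(seed=1):
    """Return (public QHP, private (Q, H, P, Q^-1)). H is a random R x N matrix kept only
    if its code has minimum distance >= 2T+1, i.e. all weight <= T words get distinct
    syndromes, so that the toy code really corrects T errors."""
    rng = random.Random(seed)
    while True:
        H = [rng.getrandbits(N) for _ in range(R)]
        if len({syndrome(H, e) for e in weight_bounded_words()}) == \
                sum(math.comb(N, w) for w in range(T + 1)):
            break
    while True:
        Q = [rng.getrandbits(R) for _ in range(R)]
        Qinv = inverse_table(Q)
        if Qinv is not None:
            break
    perm = list(range(N))
    rng.shuffle(perm)
    return public_matrix(Q, H, perm), (Q, H, perm, Qinv)


def hash_to_syndrome(msg, i):
    """h(m || i) with range {0,1}^(n-k), built here from SHA-256 (a toy choice)."""
    digest = hashlib.sha256(msg + b"||" + str(i).encode()).digest()
    return int.from_bytes(digest, "big") & ((1 << R) - 1)


def niederreiter_decrypt(priv, y):
    """Section IV.A decryption: Q^-1 y, syndrome-decode, undo P; None if y is not decodable."""
    Q, H, perm, Qinv = priv
    e = decode_bounded(H, Qinv[y])
    return None if e is None else perm_unapply(e, perm)


def decodable_fraction(priv):
    """Fraction of the 2^(n-k) syndromes that decode (Q is a bijection, so the count on H
    equals the count on QHP): why a hash value is almost never directly invertible."""
    H = priv[1]
    return len({syndrome(H, e) for e in weight_bounded_words()}) / 2 ** R


def mcfs_sign(priv, msg, seed=0):
    """mCFS signing: draw i uniformly from {1, ..., 2^(n-k)} until Q^-1 h(m||i)
    decodes; return (i, x'P)."""
    rng = random.Random(seed)
    while True:
        i = rng.randrange(1, 2 ** R + 1)
        s = niederreiter_decrypt(priv, hash_to_syndrome(msg, i))
        if s is not None:
            return i, s


def mcfs_verify(pub, msg, i, s):
    """Check QHP s^T = h(m||i). The weight bound is enforced as well: without it,
    any preimage found by plain linear algebra would pass."""
    return bit_count(s) <= T and syndrome(pub, s) == hash_to_syndrome(msg, i)


def extract_user_key(msk, identity, seed=0):
    """Section VI key extraction: the mCFS loop with the identity as the message,
    giving (j, s) with h(id_P || j) = QHP s^T and wt(s) <= T."""
    return mcfs_sign(msk, identity, seed)
```

With these sizes only $137$ of the $4096$ syndromes decode, so signing and key extraction each try on the order of thirty counters before one succeeds; the verifier never needs $Q$, $H$ or $P$, only the public matrix, the counter and the low-weight word.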



[Interactive identification] We use a slight variation of Stern's protocol. We suppose that the prover obtained a couple $\{s, j\}$ verifying $h(id_P \| j) = \tilde{H}s^T$; $h(id_P \| j)$ is set to be the prover's public key. Identification is then performed by modifying Stern's protocol with respect to the public key $h(id_P \| j)$. Details follow.

[Commitment Step] $P$ randomly chooses any word $y$ of $n$ bits and a permutation $\sigma$ of $\{1, 2, \ldots, n\}$. Then $P$ sends to $S$: $c_1, c_2, c_3, j$ such that:

$c_1 = h(\sigma \| \tilde{H}y^T);\quad c_2 = h(\sigma(y));\quad c_3 = h(\sigma(y \oplus s)).$

[Challenge Step] $S$ sends $b \in \{0, 1, 2\}$ to $P$.

[Answer Step] Three possibilities:

• if $b = 0$: $P$ reveals $y$ and $\sigma$.

• if $b = 1$: $P$ reveals $(y \oplus s)$ and $\sigma$.

• if $b = 2$: $P$ reveals $\sigma(y)$ and $\sigma(s)$.

[Verification Step] Three possibilities:

• if $b = 0$: $S$ verifies that the $c_1, c_2$ received at the second round are correct.

• if $b = 1$: $S$ verifies that the $c_1, c_3$ received at the second round are correct. For $c_1$ we can note that $\tilde{H}y^T$ derives directly from $\tilde{H}(y \oplus s)^T$ by:

$\tilde{H}y^T = \tilde{H}(y \oplus s)^T \oplus \tilde{H}s^T$

• if $b = 2$: $S$ verifies that the $c_2, c_3$ received at the second round have really been honestly calculated, and that the weight of $\sigma(s)$ is $t$.

[Soundness Amplification Step] Iterate the commitment, challenge, answer and verification steps until the expected security is reached.

Thanks to the Fiat-Shamir heuristic [15] it is possible to derive an identity-based signature scheme from the above identity-based identification scheme. Since this is a well-known cryptographic result, we refer the reader to [15] for details.
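As an added example, not the paper's code, the following Python program runs one round of Stern's protocol from Section V over $\mathbb{F}_2$ at toy size: commitment, challenge, answer and verification, including the verifier's recomputation of $Hy^T$ as $H(y \oplus SK)^T \oplus PK$ when $b = 1$, the weight check on $\sigma(SK)$ when $b = 2$, and the round count $k$ with $(2/3)^k < \beta$. The identification of this section runs exactly the same round with $PK$ replaced by $h(id_P \| j)$ (and $j$ sent along with the commitments), so `verify` can be called with that syndrome as `pk`. The matrix $H$, the keys and the hash (SHA-256 over fixed-width encodings of $\sigma$ and the vectors) are constructed here and are not the paper's parameters.

```python
import hashlib
import random

# Toy parameters (constructed): H is (N-K) x N over F_2, the secret has weight T.
N, K, T = 16, 8, 4


def bit_count(x):
    return bin(x).count("1")


def syndrome(H, x):
    """H x^T over F_2: H as a list of N-bit row masks, x an N-bit int."""
    s = 0
    for r, row in enumerate(H):
        s |= (bit_count(row & x) & 1) << r
    return s


def permute(x, sigma):
    """sigma(x): bit j of x moves to position sigma[j] (linear over XOR)."""
    return sum(((x >> j) & 1) << sigma[j] for j in range(N))


def h(*parts):
    """Hash of the concatenation a || b ...: ints are encoded on 8 bytes, sigma as bytes."""
    data = b"".join(p.to_bytes(8, "big") if isinstance(p, int) else bytes(p) for p in parts)
    return hashlib.sha256(data).hexdigest()


def keygen(seed=1):
    """Public H, a random secret SK of weight T and PK = H SK^T."""
    rng = random.Random(seed)
    H = [rng.getrandbits(N) for _ in range(N - K)]
    sk = sum(1 << p for p in rng.sample(range(N), T))
    return H, sk, syndrome(H, sk)


def commit(H, sk, rng):
    """Commitment step: random y and sigma; returns (c1, c2, c3) and the prover's state."""
    y = rng.getrandbits(N)
    sigma = list(range(N))
    rng.shuffle(sigma)
    c1 = h(sigma, syndrome(H, y))
    c2 = h(permute(y, sigma))
    c3 = h(permute(y ^ sk, sigma))
    return (c1, c2, c3), (y, sigma)


def answer(b, sk, state):
    """Answer step for challenge b in {0, 1, 2}."""
    y, sigma = state
    if b == 0:
        return y, sigma
    if b == 1:
        return y ^ sk, sigma
    return permute(y, sigma), permute(sk, sigma)


def verify(H, pk, commitments, b, resp):
    """Verification step; pk is H SK^T (or h(id_P || j) in the identity-based variant)."""
    c1, c2, c3 = commitments
    if b == 0:
        y, sigma = resp
        return c1 == h(sigma, syndrome(H, y)) and c2 == h(permute(y, sigma))
    if b == 1:
        z, sigma = resp                      # z = y XOR SK
        # H y^T = H z^T XOR PK, so c1 is checkable without learning y or SK.
        return c1 == h(sigma, syndrome(H, z) ^ pk) and c3 == h(permute(z, sigma))
    sy, ssk = resp                           # sigma(y), sigma(SK)
    return c2 == h(sy) and c3 == h(sy ^ ssk) and bit_count(ssk) == T


def one_round(H, sk, pk, b, seed=0):
    """Run a single round against a fixed challenge; True iff the verifier accepts."""
    rng = random.Random(seed)
    com, state = commit(H, sk, rng)
    return verify(H, pk, com, b, answer(b, sk, state))


def run_protocol(H, sk, pk, rounds, seed=2):
    """Soundness amplification: `rounds` rounds with random challenges; True iff all accept."""
    rng = random.Random(seed)
    for _ in range(rounds):
        com, state = commit(H, sk, rng)
        b = rng.randrange(3)
        if not verify(H, pk, com, b, answer(b, sk, state)):
            return False
    return True


def rounds_for_confidence(beta):
    """Smallest k with (2/3)^k < beta, the iteration count from Section V."""
    k = 0
    while (2 / 3) ** k >= beta:
        k += 1
    return k
```

A prover holding a word whose syndrome is not $PK$ still passes the $b = 0$ and $b = 2$ checks, and only the $b = 1$ check exposes it, which is the $2/3$ cheating probability per round; `rounds_for_confidence(2 ** -80)` gives the 137 rounds needed for that confidence level.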

VII. Proving Security of mCFS-Stern IBI scheme 

Theorem 1 The IBI scheme from Section VI is secure in the sense of imp-pa if the BD and CD problems are hard to solve.

Proof: A security reduction is obtained by adapting the proofs by Dallot [12] and Stern [31] to our setting. We build the proof following a sequence of games Game 0, Game 1, ... Game 0 is the original attack game, i.e. the standard imp-pa game. Successive games are obtained by small modifications of the preceding games, in such a way that the difference of the adversarial advantage in consecutive games is easily quantifiable. To compute this difference, the following lemma is used:

Lemma 1 Let $X_i, X_{i+1}, B$ be events defined in some probability distribution, and suppose that $X_i \wedge \neg B \Leftrightarrow X_{i+1} \wedge \neg B$. Then $|\Pr[X_i] - \Pr[X_{i+1}]| \le \Pr[B]$.
Let $q_h, q_E, q_C$ denote the maximum number of queries that adversary $\mathcal{A}$ makes to the hash, user key and conversation oracles.

We want to show that there exist adversaries $\mathcal{C}, \mathcal{D}$ that break the BD and CD problems respectively.

To answer hash, user key and conversation queries, three lists $h^{list}$, $UK^{list}$ and $\Lambda$ are maintained. If there is no value associated with an entry in a list, we denote its output by $\bot$. The list $h^{list}$ consists of tuples of the form $(x, s)$ indexed by $(id, i)$, where $i$ is an index in $\{1, \ldots, 2^{n-k}\}$, $id$ is an identity, and $\tilde{H}s^T = x = h(id, i)$ if $s \neq \bot$. The list $UK^{list}$ consists of entries of the form $(id, sk[id])$. The list $\Lambda$ contains indexes $\Lambda(m)$ associated to a message $m$, for which the simulator is able to produce a signature on $h(m, \Lambda(m))$.

Game 0. This is the standard imp-pa game. The master public and secret keys are obtained by running algorithm $\mathrm{Gen}_{mCFS}(1^\kappa)$. In particular, the master public key is $\tilde{H} = QHP$ plus a hash function $h: \{0, 1\}^* \to \mathbb{F}_2^{n-k}$, and the master secret key is $(Q, H, P)$, where $H \leftarrow \mathrm{Goppa}(n, k)$, $Q$ is a non-singular $(n-k) \times (n-k)$ matrix and $P$ is an $n \times n$ permutation matrix. Therefore $\Pr[X_0] = \mathrm{Adv}^{imp\text{-}pa}_{\mathcal{A}}$.

Game 1. (Simulation of hash and user key queries) We change the way in which hash and user key extraction queries are answered. For hash queries of the form $(id, i)$, there are two situations, depending on whether $i = \Lambda(id)$. If this is the case, a decodable syndrome $x = \tilde{H}s^T$ is given as the output, and the corresponding code-word $s$ is stored, i.e. $h^{list}$ is updated with $(x, s)$ in the entry indexed by $(id, i)$. If $i \neq \Lambda(id)$, hash queries are simulated by taking a random element in $\mathbb{F}_2^{n-k}$, and then these queries are distributed as with a random oracle. Details are shown in Figure 1.

On the other hand, user key queries on $id$ are answered by choosing the special index $\Lambda(id)$ at random, calling the hash oracle on $(id, \Lambda(id))$ and outputting $(s, i)$ as the resulting user secret key. Details are shown in Figure 2.

At the end of the simulation, the random oracle $h$ has output $q_h + q_E + 1$ syndromes. Some of them are produced with the special index $i = \Lambda(id)$; these syndromes are not distributed uniformly at random in $\mathbb{F}_2^{n-k}$; instead they have been modified so as to enable responding to user secret key queries. It might then be the case that adversary $\mathcal{A}$ queried $h$ on some pair $(id, j)$ such that later $j$ is set to $\Lambda(id)$. This will cause an incoherence, since then the output $h(id, j)$ will be a random syndrome instead of a decodable syndrome. The latter happens with probability at most 2 n- K (the indexes $\Lambda(id)$ are only defined when answering key extraction queries). Therefore,

|Pr[Xo]-Pr[X x ]|<^ 

Game 2. (Changing the master key generation algorithm) The key generation algorithm is changed so that $H \leftarrow \mathrm{Binary}(n,k)$. Then,

$$|\Pr[X_2] - \Pr[X_1]| \le \mathrm{Adv}^{CD}_{D}(n),$$

where $D$ is an algorithm that simulates the environment of Game 1 for $A$ if $H \leftarrow \mathrm{Goppa}(n,k)$ and outputs $d = 1$ if $A$ successfully impersonates the target identity $id^*$, and $d = 0$ otherwise; and $D$ simulates the environment of Game 2 for $A$ if $H \leftarrow \mathrm{Binary}(n,k)$ and outputs $d = 1$ if $A$ successfully impersonates the target identity $id^*$, and $d = 0$ otherwise. It is easy to see that

$$\Pr[H \leftarrow \mathrm{Goppa}(n,k) : D(H) = 1] = \Pr[X_1]$$

and

$$\Pr[H \leftarrow \mathrm{Binary}(n,k) : D(H) = 1] = \Pr[X_2].$$



Input: A pair $(id, i)$
Output: A syndrome $x$
  $(x, s) \leftarrow h^{\mathrm{list}}(id, i)$;
  if $i \neq A(id)$ then
      if $x = \bot$ then
          $x \xleftarrow{\$} \mathbb{F}_2^{n-k}$;
          $h^{\mathrm{list}}(id, i) \leftarrow (x, \bot)$;
      end
      return $h(id, i) = x$;
  else
      if $x = \bot$ then
          $s \xleftarrow{\$} \{w \in \mathbb{F}_2^n \mid \mathrm{wt}(w) \le t\}$;
          $x \leftarrow Hs^T$;
          $h^{\mathrm{list}}(id, i) \leftarrow (x, s)$;
      end
      return $h(id, i) = x$;
  end

Fig. 1 - Simulation of hash queries



Input: An identity $id$
Output: A user secret key $(s, i)$
  if $A(id) = \bot$ then
      $A(id) \xleftarrow{\$} \{1, \ldots, 2^{n-k}\}$;
  end
  call the hash oracle on $(id, A(id))$;
  $(x, s) \leftarrow h^{\mathrm{list}}(id, A(id))$;
  $i \leftarrow A(id)$;
  $A(id) \leftarrow \bot$;
  return $sk[id] = (s, i)$;

Fig. 2 - Simulation of user key queries
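The two simulators of Figures 1 and 2, as an added Python example that is not part of the paper: it programs the random oracle over a constructed toy random binary matrix $H$ ($n = 12$, $n - k = 6$, $t = 2$, all assumptions) and also records the Game 1 incoherence, an identity whose index was hashed before it became special, which the verifier-side check then rejects.

```python
import random

# Constructed toy parameters, far below the paper's m = 16, t = 9: code length
# N = 12, redundancy R = n - k = 6 and weight bound T = 2. H is a random binary
# parity-check matrix as in Game 2; the simulator needs no trapdoor for it.
N, R, T = 12, 6, 2
rng = random.Random(1)
H = [[rng.randrange(2) for _ in range(N)] for _ in range(R)]

def syndrome(s):
    """x = H s^T over F_2, returned as a tuple of R bits."""
    return tuple(sum(a * b for a, b in zip(row, s)) % 2 for row in H)

class Simulator:
    """Random-oracle simulator for h (Fig. 1) and user key extraction (Fig. 2)."""
    def __init__(self):
        self.h_list = {}  # (id, i) -> (x, s); s is None (bottom) for ordinary i
        self.A = {}       # id -> special index A(id); None stands for bottom
        self.bad = False  # Game 1 incoherence: (id, j) was queried before A(id) = j

    def hash_query(self, ident, i):
        x, s = self.h_list.get((ident, i), (None, None))
        if i != self.A.get(ident):           # ordinary index: uniform syndrome
            if x is None:
                x = tuple(rng.randrange(2) for _ in range(R))
                self.h_list[(ident, i)] = (x, None)
        elif x is None:                      # special index: decodable syndrome
            pos = rng.sample(range(N), T)    # random word of weight T <= t
            s = tuple(int(j in pos) for j in range(N))
            self.h_list[(ident, i)] = (syndrome(s), s)
        return self.h_list[(ident, i)][0]

    def extract(self, ident):
        """sk[id] = (s, i); s is None when the bad event prevents an answer."""
        if self.A.get(ident) is None:
            j = rng.randrange(1, 2 ** R + 1)
            if (ident, j) in self.h_list:    # already answered with a random x
                self.bad = True
            self.A[ident] = j
        i = self.A[ident]
        self.hash_query(ident, i)            # programs h(id, A(id)) if needed
        _, s = self.h_list[(ident, i)]
        self.A[ident] = None
        return s, i

def valid_key(sim, ident, s, i):
    """Verifier-side check: wt(s) <= t and H s^T equals h(id, i)."""
    return s is not None and sum(s) <= T and syndrome(s) == sim.hash_query(ident, i)
```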

Game 3. (Guessing the target identity) A random index $j^+ \xleftarrow{\$} \{1, \ldots, q_h + q_E + 1\}$ is taken. The $j^+$-th hash query $(id^+, i^+)$ to $h$ is set to be $Q(x^+)^T$, where $x^+ \xleftarrow{\$} \mathbb{F}_2^{n-k}$, i.e. $h(id^+, i^+) = Q(x^+)^T$. The probability space is not modified, since $x^+ \xleftarrow{\$} \mathbb{F}_2^{n-k}$ and $Q$ is non-singular, and therefore $\Pr[X_3] = \Pr[X_2]$.
Game 4. (Abort the game) Let $(id^*, i^*)$ be the target identity and target index that $A$ impersonates. If $id^* \neq id^+$ or $i^* \neq i^+$ then the challenger aborts the game. Since Game 4 is obtained by conditioning Game 3 on an independent event of probability $\frac{1}{q_h + q_E + 1}$, we obtain

$$\Pr[X_4] = \frac{\Pr[X_3]}{q_h + q_E + 1}.$$



Game 5. (Answering conversation queries on the target identity $id^*$) We have to answer conversation queries on $id^*$ without knowing the codeword $s^*$ corresponding to $h(id^*, i^*) = x^*$, i.e. $s^*$ such that $x^* = H(s^*)^T$ and $x^* = Q(x^+)^T$. We can answer these queries in expected polynomial time by using the algorithm in Theorem 3 in [31]. Roughly, the algorithm uses a resettable simulation [18]. At the beginning of each iteration of the basic identification protocol, the algorithm chooses at random one out of three cheating strategies, where each strategy allows to successfully interact with a cheating verifier CV with probability 2/3. In case the algorithm cannot successfully interact with CV, it resets the adversary $A$ for the current round (see [31] for details). All in all, the probability space is not modified, and then $\Pr[X_5] = \Pr[X_4]$.

Theorem 1 in [31] implies that an adversary $A$ impersonating the user with identity $id^*$ when running $k$ rounds of the basic protocol and with advantage $(2/3)^k + \epsilon_1$ for a non-negligible $\epsilon_1 > 0$ can be converted into a PPT algorithm computing $s^*$ such that $H(s^*)^T = x^*$ with probability $\epsilon_1/10$. A basic calculation shows that $(s^+)^T = P(s^*)^T$ is a solution to the BD problem with inputs $H \leftarrow \mathrm{Binary}(n,k)$ and $x^+ \xleftarrow{\$} \mathbb{F}_2^{n-k}$. Let $C$ be an algorithm that simulates Game 5 for the impersonating adversary $A$ using the input of the BD problem. Then,

$$\mathrm{Adv}^{BD}_{C}(n) \ge \frac{\Pr[X_5] - (2/3)^k}{10}.$$



Collecting all the probabilities,

$$(2/3)^k + \epsilon \le \mathrm{Adv}^{\text{imp-pa}}_{A} \le \frac{q_E}{2^{n-k}} + \mathrm{Adv}^{CD}_{D}(n) + \Pr[X_5]\,(q_h + q_E + 1) \le \frac{q_E}{2^{n-k}} + \mathrm{Adv}^{CD}_{D}(n) + \left(10\,\mathrm{Adv}^{BD}_{C}(n) + (2/3)^k\right)(q_h + q_E + 1)$$

and then

$$\epsilon \le \frac{q_E}{2^{n-k}} + \mathrm{Adv}^{CD}_{D}(n) + (q_h + q_E + 1)\left(10\,\mathrm{Adv}^{BD}_{C}(n) + \Big(1 - \frac{1}{q_h + q_E + 1}\Big)\Big(\frac{2}{3}\Big)^k\right).$$



The latter equation can be read as follows: a successful impersonating adversary with advantage $(\frac{2}{3})^k + \epsilon$ implies a successful adversary against the BD or CD problems.



VIII. Efficiency Analysis 

WE deal here with the security of our protocol and its practicality. Let us recall that in the case of Niederreiter's cryptosystem, security relies on the hardness of decoding a linear code (see section III).

A. Parameters and security of the scheme 

The protocol has two parts: in the first part one inverts the syndrome decoding problem for a matrix $H$ in order to construct a private key for the prover, and in the second part one applies Stern's identification protocol with the same matrix $H$. This shows that the overall parameters of the scheme are equivalent to the security of the CFS scheme, since the security of the Stern scheme with the same matrix parameters is implicitly included in the signature scheme.

In particular the scheme has to fulfill two imperative conditions:

1. make the computation of $\{s, j\}$ (defined in advance) difficult without knowledge of the description of $H$;

2. keep the number of trials needed to determine the correct $j$ small, in order to reduce the cost of the computation of $s$.

Following [11], the Goppa $[2^m, 2^m - tm, t]$ codes are a large class of codes which are compatible with condition 2. Indeed, for such a code the proportion of decodable syndromes is about $1/t!$ (which is a relatively good proportion). We also have to choose a relatively small $t$.

The $\{s, j\}$ production process will thus be iterated about $t!$ times before finding the correct $j$. But each iteration requires computing $D(h(id_P \| j))$.

The decoding of the Goppa codes consists of:

• computing a syndrome: $t^2 m^2 / 2$ binary operations;

• computing a locator polynomial: $6 t^2 m$ binary operations;

• computing its roots: $2 t^2 m^2$ binary operations.

We thus get a total cost for the computation of the prover's private key of about:

$t!\, t^2 m^2 \,(1/2 + 2 + 6/m)$ binary operations.

The cost of an attack by decoding thanks to split syndrome decoding is estimated to $2^{tm(1/2 + o(1))}$.

The choice of parameters will have to be pertinent enough to reconcile cost and security. Although less important, some sizes also have to remain reasonable: the length of $\{s, j\}$, the cost of the verification and the size of $H$, that is, for a Goppa code, $2^m\, tm$ bits.

Following [11] we can for example take $t = 9$ and $m = 16$. The cost of the signature then stays relatively reasonable for a security of about $2^{80}$. The other sizes remain very acceptable in that context.

B. Practical values

The big difference when using the parameters associated with the CFS scheme is that the code used is very long, $2^{16}$ against $2^9$ for the basic Stern scheme; this dramatically increases communication costs.

In the next tables we sum up, for the parameters $m = 16$, $t = 9$, the general parameters of the IBI and IBS schemes.

  public key | private key | matrix size | communication cost               | key generation
  $tm$       | $tm$        | $2^m\, tm$  | $\approx 2^m \times$ (number of rounds) |
  144        | 144         | 1 Mo        | 500 Ko (58 rounds)               | 1 s

Practical values for the IBI scheme: $m = 16$, $t = 9$

  signature length                         | key generation
  $\approx 2^m \times$ (number of rounds)  |
  2.2 Mo (280 rounds)                      | 1 s

Practical values for the IBS scheme: $m = 16$, $t = 9$

Reduction of the size of the public matrix: unlike a pure signature scheme, in which one wants to be able to sign fast, in our scheme the signature is only computed once, for sending it to the prover; hence the time for signing may be judged less determinant, and a longer signature time may be accepted in exchange for reducing (a little) the parameters of the public matrix.

IX. Conclusion 

IN this paper we present and prove secure a new identity-based identification scheme based on error-correcting codes. Our scheme combines two well known schemes by Courtois-Finiasz-Sendrier and Stern. It inherits some of their practical weaknesses, such as large system parameters. Interestingly, the new scheme is one of the very few existing alternatives to number theory for identity-based cryptography, and we hope that it boosts future research in this area.